usdt-m-futures
Fail
Audited by Snyk on Mar 11, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill requires constructing authenticated requests (including AccessKeyId in query strings and HMAC-signing with the secretKey), which forces the agent to receive and embed API keys/signatures (derived from secrets) in generated requests, creating an exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for cryptocurrency derivatives trading via the HTX API and includes authenticated endpoints for executing financial actions. It lists concrete POST endpoints to place, batch, cancel, and manage orders (e.g., /linear-swap-api/v1/swap_order, /linear-swap-api/v1/swap_batchorder, trigger/tpsl/track order endpoints), endpoints to transfer funds between accounts (e.g., /v2/account/transfer, /linear-swap-api/v1/swap_master_sub_transfer, /linear-swap-api/v1/swap_transfer_inner), and requires API key/secret and HMAC signing. It therefore provides direct capabilities to execute market orders and move funds, not just generic queries.